Security

Do You Allow Webmail Use on Your Network?

rtobyr asks: "I don't allow users at my organization to use any third party e-mail. When users complain, I point out that we can't control the security policies of outside systems. End users tend to think that big business will of course have good security; so I ran a test of the 'Big Four': Hotmail, Yahoo Mail, AOL/AIM Mail, and GMail. Yahoo Mail was the only webmail provider to allow delivery of a VBS script. GMail was the only provider to block a zipped VBS script. End users also tend to think that a big business would never pull security features out from under their customers. Of course, we know that AOL and Microsoft have both compromised the security of their customers. I don't know of any security related bad press for Yahoo or Google. Three of my Big Four either allow VBS attachments or have a poor security track records. So, if you are a network administrator, do you limit your users' ability to use third party e-mail, and if so, do you allow for GMail or other providers that you've deemed to have secure systems and reputations?"
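The two checks the submitter tested against the four providers (a bare VBS attachment and a VBS inside a zip) are the kind of gateway-side filtering a defender can apply on their own boundary instead of relying on the provider; the following is an added example, not code from the original post, and the extension list, the zip nesting limit and the sample message are assumed or constructed.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy list of script/executable extensions; not taken from the page.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe",
                      ".scr", ".bat", ".cmd", ".com", ".pif"}
MAX_ZIP_DEPTH = 2  # how many nested archives to open before giving up


def _ext(name):
    """Lower-case extension of the last path component, '' if none."""
    base = name.rsplit("/", 1)[-1].lower()
    dot = base.rfind(".")
    return base[dot:] if dot >= 0 else ""


def scan_bytes(name, data, depth=0):
    """Return a list of (path, reason) findings for one attachment payload.

    Zip archives are opened and their members scanned recursively, so a
    zipped VBS is reported as 'archive.zip/member.vbs'.
    """
    findings = []
    ext = _ext(name)
    if ext in BLOCKED_EXTENSIONS:
        findings.append((name, "blocked extension " + ext))
    elif data[:2] == b"MZ":
        # A Windows PE image starts with 'MZ' whatever it was renamed to,
        # which catches the 'rename .exe to .txt' workaround the thread mentions.
        findings.append((name, "PE header under extension " + (ext or "<none>")))
    if ext == ".zip":
        if depth >= MAX_ZIP_DEPTH:
            findings.append((name, "archive nested too deep to inspect"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = name + "/" + info.filename
                    if info.flag_bits & 0x1:
                        # Encrypted member: cannot be inspected, so report it
                        # rather than silently passing it through.
                        findings.append((inner, "encrypted zip member"))
                        continue
                    findings.extend(scan_bytes(inner, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "malformed zip"))
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message and scan every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        findings.extend(scan_bytes(name, data))
    return findings


def build_sample():
    """Constructed test message: one clean file, a bare VBS, a zipped VBS and
    a renamed executable (sample data only, not real malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed sample message, see attachments.")
    msg.add_attachment(b"just notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(b'MsgBox "hello"', maintype="application",
                       subtype="octet-stream", filename="script.vbs")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("payload.vbs", 'MsgBox "hello"')
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="bundle.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="text", subtype="plain",
                       filename="setup.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_message(build_sample()):
        print(path, "->", reason)
```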
  • How? (Score:3, Informative)

    by ellem ( 147712 ) * <ellem52.gmail@com> on Friday March 16, 2007 @02:47PM (#18378515) Homepage Journal
    Besides the obvious Content Filters how are you blocking them? A moderately bright young chap could proxify their way around that.
    • Re:How? (Score:4, Insightful)

      by Seumas ( 6865 ) on Friday March 16, 2007 @02:49PM (#18378537)
      Not to mention, who cares what the webmail services allow? Just because they allow a user to receive - say - a VBS file doesn't mean that you have to allow that onto your network or that you can't block such an attachment and allow the webmail.
      • by Anonymous Coward on Friday March 16, 2007 @04:06PM (#18379663)
        The lad has made the correct decision, but for the wrong reasons. The number one reason is because you want all of your "business traffic" to go thru your corporate email system.

        He should be asking himself, "Why do the people who work here feel they need to use the non-corporate system for business work?"

        All my work email goes from my work account, personal goes thru gmail.

        Also, if he doesn't allow people to use personal accounts for personal email, they'll just use the company email for that. Does he want that to happen?
      • Re: (Score:3, Insightful)

        by jslater25 ( 1005503 )
        I have been using the same arguments about webmail to my network admin. Questions that receive no answers:
        Why is webmail blocked but USB ports allow anyone to plug and play a thumb drive? Couldn't someone bring a virus in the same way?
        Why do we block webmail but no other websites/services are blocked? Shouldn't we worry about someone surfing for pr0n or possibly looking for warez?

        Often, I have heard the argument that IT doesn't want to let information get leaked via webmail and IM's. But all computers at my
        • Re: (Score:3, Insightful)

          by ChadAmberg ( 460099 )
          That's not really a good argument. Just because security isn't perfect doesn't mean it's useless. You might as well be arguing about removing all antivirus and firewalls, because someone has a USB port in their system.
        • Re:How? (Score:5, Insightful)

          by vux984 ( 928602 ) on Friday March 16, 2007 @10:02PM (#18382681)
          No site is ever 100% secure. IT/management generally shoot for the most bang for the buck, to get where the risk/cost ratio of a problem balances with the needs of their business objectives.

          Why is webmail blocked but USB ports allow anyone to plug and play a thumb drive? Couldn't someone bring a virus in the same way?

          And if they blocked up the USB ports, someone could come in with a SATA drive and a screwdriver. Couldn't someone bring in a virus that way too? So why not install intrusion detection systems in all the cases...?? And on it goes.

          The answer: risk/cost analysis indicates that email is by FAR the number 1 transport for viruses. Yes, other vectors exist, but if you only deal with email you address the lion's share of the risk.

          Additionally, removing webmail usually aligns with management's objectives, so blocking it generally gets immediate management support.

          Why do we block webmail but no other websites/services are blocked? Shouldn't we worry about someone surfing for pr0n or possibly looking for warez?

          The answer: risk/cost analysis again. You address the big problems before the little ones, and the little ones before the ones you don't even have (yet). I.e., knock out MSN/Yahoo/Gmail and you remove a huge chunk of the useless sites that staff ARE spending hours on. If it's worth it, you could keep going after every porn or warez site too, but the returns rapidly diminish while the cost keeps going higher.

          If surfing porn/warez was a rampant problem then you could expect management to address it with technology. But for most companies a policy against warez and porn is usually enough to keep the problem at minimal levels. (Hell, most of the time you don't even need formal policy, in my experience most people just 'know better' and don't have to be told that surfing porn at work is against policy and grounds to be fired.)

          Weaning webmail addicts off their personal accounts, on the other hand, sometimes requires a little help from technology.
    • by rikkards ( 98006 )
      Besides the obvious Content Filters how are you blocking them? A moderately bright young chap could proxify their way around that
      Two fold method:
      1. Content Filter
      2. By an acceptable use policy stating the equipment is for work only and any deviance could lead to dismissal.

      Maybe a bit draconian but we do have separate machines that are sandboxed that they can use for surfing "work-unfriendly" sites.
    • Re:How? (Score:4, Informative)

      by fistfullast33l ( 819270 ) on Friday March 16, 2007 @02:59PM (#18378699) Homepage Journal
      Our company uses a proxy server that redirects you to a warning page. I think most large organizations do that nowadays if they want to block something. I doubt you can proxy your way around it since you need the proxy to get out of the firewall, so basically you can't connect through port 80 at all. Of course, attempting to go around the proxy will probably get you fired anyways, so I don't try it.

      Another reason, that isn't documented here, that people would want to block external communications (AIM, GMail, whatever) would be legal requirements to document any communication with a client. This would especially include banks, security companies, etc. I know that financial institutions are required to archive all email communication forever, literally. Morgan Stanley got into huge trouble because they didn't. In order to control the flow of information, most banks just block external email services so the content is easier to control.
      • monkeying w/ proxy servers is likely a violation of the acceptable usage policy as well, i should point out.

        ed
      • Re: (Score:3, Insightful)

        by rizzo320 ( 911761 )

        Another reason, that isn't documented here, that people would want to block external communications (AIM, GMail, whatever) would be legal requirements to document any communication with a client. This would especially include banks, security companies, etc. I know that financial institutions are required to archive all email communication forever, literally. Morgan Stanley got into huge trouble because they didn't. In order to control the flow of information, most banks just block external email services so

      • Re: (Score:2, Insightful)

        by Seumas ( 6865 )
        Sure, they may be required to archive information forever. I don't think that includes personal emails and personal phone calls. And if you work somewhere that you can't send a note to your wife or make a phone call to say you're going to be home late or ask how your spouse's doctor visit went, then it's time to get out. And I don't see how any private communications need to be archived.

        That said, there are simple workarounds. If your employer has some sort of SOCKS proxy, that's very simple to SSH through.
        • Re:How? (Score:4, Interesting)

          by hazem ( 472289 ) on Friday March 16, 2007 @03:47PM (#18379401) Journal
          Simply have a policy that states "email services outside of the control of this company are not to be used for business correspondence". Seems simple enough.

          Except some people may NEED to do just that because of the stupid rules set up on the company mail servers.

          For my work, I deal with a developer in another state and we have to exchange large files. From inside our network, I have no way to ftp/ssh into his company servers to transfer the files. So, e-mailing is the only option. Our e-mail servers won't allow attachments that large.

          So, we use gmail. It's not elegant, but we can easily send the files we need back and forth and actually get our work done.

          Oh yes... our IT people are the same totalitarians you find everywhere (I used to be an admin, and back then, we actually tried to help our people do their jobs, not inhibit their work). So, they won't adjust the rules of our mail servers, or provide a way for me to connect to the other company's computers and transfer the files.

          So there it is... IT's motto is "IT at the speed of business", but the reality is "business crawling at the bureaucratic speed of IT". It's like they believe that they are the revenue generating portion of the company and that the rest of the company exists to serve IT.

          Sadly, that view is all too common.
          • Re: (Score:3, Interesting)

            by bushki3 ( 1025263 )
            You are absolutely right about that view being too common.

            I have extremely strict rules set up on my network. I am pretty sure that the only one that hasn't been broken (with my authorization) is the pr0n rule.

            I constantly take shit from other admins who pride themselves on being an ass about their rules, but I have found that the best way to get business done is for every rule to have an exception.

            All webmail is banned, blocked, filtered, and otherwise prohibited on my network. However, there have been
    • We do block the major web mail websites with content filtering.
      Yes, A moderately bright young chap could proxy his way around the content filtering. We have had those moderately bright chaps get fired for doing it as well.

      • Re:How? (Score:4, Insightful)

        by AKAImBatman ( 238306 ) * <akaimbatman AT gmail DOT com> on Friday March 16, 2007 @03:26PM (#18379081) Homepage Journal

        Yes, A moderately bright young chap could proxy his way around the content filtering. We have had those moderately bright chaps get fired for doing it as well.

        Way to remove your best talent there, chief.

        And drive away the possibility of any new talent.
      • If you can afford to fire someone for using a proxy, must be quite a supply of unemployed moderately bright chaps out there, eager for any work. Not suffering any shortages or problems finding qualified people to hire, are you?
      • Re:How? (Score:4, Insightful)

        by 0100010001010011 ( 652467 ) on Friday March 16, 2007 @03:49PM (#18379425)
        I am one such "Moderately Bright Chap".

        I have putty on my computer and I run everything through a SOCKS proxy. I have Firefox, Thunderbird (no webmail for me) and iTunes all going through one of my few shells.

        I occasionally surf between 0 and 3 hours a day: fark, slashdot, ebay, etc. Last year I received the highest rating that someone of my salary level could. My boss, my coworkers think I'm a magic man, when I'm asked to get something done I get it done as fast as possible. Techno &/or 80's music tends to set a rhythm for my coding, despite internet radio being frowned on (not officially banned). My parents are going through a divorce. I like to e-mail both of them and my siblings during the day, but I like to keep that off of corporate mail. Sometimes I want to win an auction during work and sometimes I just need a detox.

        With all due respect, you and your company can go fuck themselves. If I got the lowest rating, then yes, there's a problem. But you and your company are automatically removing people like me because we get stuff done AND we have personal lives.

        Content filter the secretary not the MSMEs.
    • Indeed. We constantly get requests to rename our distribution .exe file to .txt, put it in a .zip file, and send it as attachment... since plain .exe are rejected, as well as .zip files are rejected. But -then- we have to deal with angry users who cannot run our program.

      Now, isn't that silly? If you don't think so, imagine explaining how to unzip and rename files to business folks... especially if their Windows is setup to hide file extensions (many have no idea what a file extension is!).

      In my opinion, cor
  • Stupidity! (Score:2, Flamebait)

    by cashman73 ( 855518 )
    These days, anybody that opens ANYTHING with a .vbs extension deserves whatever happens to their computer! Are users really that dumb?
    • by 0racle ( 667029 )
      He's talking about organizations. The end users do not own the desktop or the data it has access to and often treat it that way. On top of that they know it's someone else's problem so they don't care what happens.
    • by benbean ( 8595 )
      Yes, yes they are.
    • Well, news flash, .js files can do the same thing through Windows Scripting Host, and it's not that unreasonable to try to open one to edit and view it and accidentally launch it through WSH instead because your browser has nicely decided to execute it locally.

      Not a huge stretch for someone to make that malicious. I find myself more annoyed than not that you can't configure browsers these days to intelligently handle things that you just want to be able to view like .js/.cpp/.h files etc. I don't want it lau
    • Subby is talking about a business environment, where a security failure like a user running a malicious script can have ramifications on the whole network. As a result he has the responsibility to keep users from having the opportunity to be stupid.
    • Sure, they're easily that dumb. Most can't tell the difference between a .vcf and .vbs

    • Re: (Score:2, Insightful)

      by AZScotsman ( 962881 )
      Short Answer: Yes! Longer Answer: Oooooohhhhh Yeaaaaaaa! Anyone that doubts the collective idiocy of a user base most likely has never had to staff a corporate HelpDesk....
    • Re: (Score:3, Informative)

      by russ1337 ( 938915 )
      >>> Are users really that dumb?

      Yes, and in this order [mapsofworld.com]

      Think about it.
    • Re: (Score:3, Funny)

      by kaizenfury7 ( 322351 )
      Hi 'cashman', this is your mom. As you know, it's a great chore being a mom and a housewife, I have to take your sister to soccer practice, your brother to basketball practice, and you to your chess practice. And when I drop everyone off, I go home, grab the Pine sol and my trusty swiffer to clean up the pig sty that you and I call home. During Oprah and the View commercials, I check my e-mail to remind Grandma to take her medications and your Uncle Leeeroy to stop 'using' Grandma's medications. I hope
  • Squirrelmail (Score:4, Interesting)

    by FreakyGeeky ( 23009 ) on Friday March 16, 2007 @02:52PM (#18378569)

    Where do you work? I'd like to know so that I do not inadvertently apply for work at your company.

    Then again, I'm sure you've addressed all of your company's really important network concerns first before moving on to this. Or, maybe you were sure to restrict all of the workstations such that no one can change their desktop wallpaper and things like that.

    Which webmail system do I use while at work? I use my own squirrelmail installation. I bet you'd really hate that!

    • Re:Squirrelmail (Score:5, Insightful)

      by brobak ( 683932 ) on Friday March 16, 2007 @03:08PM (#18378853)
      You know, it's not always as sarcastically simple as you want to make it out to be. The fact of the matter is, things like GLBA and SOX force IT departments to take these kinds of drastic measures whether we like it or not. They REQUIRE that you inventory 'customer sensitive data' and control the flow of that data. The CEO literally signs on the bottom line that the reports you give to the auditors are true. Not to the best of his knowledge or any cop outs like that. So, when the big guns come down from their gilded offices, and demand to know for a 'fact' that you have control over data, it doesn't matter that the steps you have to take might have little to no real world effect. You just have to take them. Yes, as a security professional, *I* understand that if I wanted to get customer sensitive data out of the network, I could write it on my own ass, and press it up against a window for the guy in the next building over to read. But my board of directors doesn't find that amusing. They know they are legally responsible now, and they must be seen to be doing *everything* possible to secure the data. This does include doing our best to block things like mail apps, IM apps, USB drives and the like. Personally, I can see MANY ways in which each of those things would streamline the business process, and provide actual performance and productivity increases for the business, but that doesn't matter because GLBA demands that if we were to use those things, we keep logs of ALL of the ways they were used for 3 years, that are indexed and searchable and online, and another 4 after that in archive format. So when you go to the accounting dept with your new budget with all these new equipment costs, and software costs, and you have to GUARANTEE legally that they can't be used in ways other than intended...guess what the simpler solution is? That's right, they go away.

      And let's be honest, for every valid business purpose, there's an equal number of time wasting BS purposes for that stuff that expose the company to legal liability. And the fact of the matter is, if we have policies against it, procedures in place to prevent it, and you still manage to get it done, then we have a pretty damn good case in court to hang YOU out to dry and not the company. CYA for the big wigs, and frankly, for myself. I know as geeks and nerds we think we know best, but if you play hard enough, stuff does break. I know I've had my own little personal web host 'pwned' before, and that's being decently careful to lock things down. I can't imagine my 'lusers' having more access than they already do, and what they might 'accomplish' with that access. For my own sanity, our regulatory requirements, the CEO's CYAs, and to be able to support the secured environment that we do, things like you refer to so sarcastically would get you fired. We own that machine, we own the network it's on, we own the bandwidth you use to connect to the outside world, and therefore, we get to say exactly what you get to do with it. If you don't like that, that's fine, I totally understand, leave. But sometimes, even though I personally don't like it, I 'get it'.
      • Re: (Score:3, Insightful)

        by DavidpFitz ( 136265 )

        The fact of the matter is, things like GLBA and SOX force IT departments to take these kinds of drastic measures whether we like it or not.

        [Disclaimer: I do risk and reg for a living]

        Bull. Sarbanes Oxley says nothing of the sort. If you think it does, go read the regs. I don't believe you are intentionally lying, I just think you are misinformed and have no idea what you are talking about.
        • Re: (Score:2, Insightful)

          by brobak ( 683932 )
          I listed both SOX and GLBA. And you are correct, section 404 says nothing of the sort. It's the fact that it is so vague, that our regulators and auditors have expanded on its requirements just to 'be safe'. Go ahead and look up some of the recent commentary by Mr. Oxley himself. They realize they've created a monster by being so damn vague. GLBA is the same way. I'm paraphrasing, but the language says basically 'put into place a system of controls, and document those controls'. Then my conversations with
          • Re:vague regulations (Score:3, Interesting)

            by evought ( 709897 )
            This was a real problem early on with the Clean Air Act and Air Quality Monitoring regulations as well and still is depending on what state agencies you have to work with. Like, SOX, company officials must affirm that the data they submit is true and accurate and that they are in compliance when there is often significant disagreement over the meanings of terms, measurements, calibration practices, data collection, fraud prevention, and "compliance". Over time, standards for behavior develop and give compan
      • by twbecker ( 315312 ) on Friday March 16, 2007 @03:36PM (#18379227)
        Congrats, you just pwnt the GP with the GIANT WALL OF TEXT!!.

        Seriously man, paragraphs.
      • Re: (Score:3, Insightful)

        by FreakyGeeky ( 23009 )

        I know SOX quite well, as internal SOX auditing is part of my job. Nice try. It seems like you're misinformed about SOX. SOX doesn't force IT departments to do anything, let alone "drastic measures."

        Like I said in my original post, it's a good thing you're focused on the important activities of, "blocking mail apps, IM apps, USB drives and the like." You better ban laptops too! While you're at it, kill your users. They might *speak*. Well, you could rip out their vocal cords so they can't do that,

    • If you can get to the internet, you can get to whatever you want. Just set up your own Squid proxy at home, get at it over SSH (tunneled via HTTP if you must...), et voila. Freedom from the self-appointed corporate mommies.
  • by Anonymous Coward on Friday March 16, 2007 @02:53PM (#18378605)
    I'm glad I don't work at your organization!

    Seriously, webmail has so much use that blocking it is ultimately counterproductive -- the only equivalent "security" would be totally blocking net access.

    If you are worried about productivity loss, well, I often use webmail so I can stay at work longer. Really, it's not hard to imagine that allowing people to use light net access for personal communication means that they do not have to physically leave work to do these things. It's a bonus for all.

    If you are worried about security, any net access that allows submission of forms or uploading of files is equivalent security breach. As stated before, any moderately skilled hacker can configure a proxy to get data off your network.

    You're crippling your users and kidding yourself.
  • Yes (Score:5, Insightful)

    by Ngarrang ( 1023425 ) on Friday March 16, 2007 @02:55PM (#18378639) Journal
    Simply put, yes.

    We would prefer that the work e-mail not be used for personal mailings. One of the reasons is file storage space.

    We are willing to acknowledge that parents are going to communicate with their kids, and other folks with friends and family. It makes for better employee morale when they are permitted access to web mail for such things, leading to less abuse of work systems. It is better to use e-mail than the phone, which needs to be left free for actual business calls with clients.

    Are there security concerns? Though the poster found some concerns, those concerns are easily disarmed by a good anti-virus/anti-spyware program.

    Sure, we could be rather draconian and put the kibosh on all of it, but it comes back to employee morale. A happy worker is a productive worker. Our workers are given the task of being responsible and are rewarded for their success.
    • Re:Yes (Score:5, Insightful)

      by Aadain2001 ( 684036 ) on Friday March 16, 2007 @03:03PM (#18378771) Journal
      I just wanted to respond to this post by saying that is exactly how it should be! People's lives do not cease to exist when they walk in their employer's front door. It is much better to allow people to keep their work and personal lives separate by allowing webmail systems for personal emails and cell phones for personal calls. Kudos to your company for recognizing that employees are people and if you treat them as such they will have a much better perception of their work place and be happier about working for you.
      • I just want to respond by saying that the original poster *does* have valid security concerns, however. One possible solution, albeit a bit heavily engineered and expensive, might be to use virtual machines - one for work with restrictions, one that allows access to Gmail/whatever. Hmmm.
    • Mod parent up!!! Amen, brother. User education can prevent many of these problems. A combination of AntiVirus/Malware, and a good network configuration can prevent the rest.

      Limiting usage like this just makes an employee dislike their job that much more, and just as you said, unhappy workers are not nearly as productive as happy ones.
    • Morale to do one's job. I hate it when IT security thinks they have to protect me from myself, so that I can't even do my job and have to get special (aka normal) engineer access to our own laptops.

      I was blocked from using altavista, and couldn't translate some emails, and couldn't get approval to buy the software. IT security tends to treat engineers as call centers, and lock them down. Those engineers tend to leave the company due to crappy office politics. Morale is important.

    • by BobPaul ( 710574 ) *
      This is exactly how it should be, and has been everywhere I've worked, including the couple of places where I was part of the IT group. I've seen sites like youtube, metacafe, et al blocked, but never webmail.

      Blocking webmail just means you'll have more company signatures attached to forwards urging a boycott of Starbucks for being unamerican, grass roots campaigning for politicians, or a number of other things your company doesn't officially support. Once that signature goes on there, someone's going to
    • by zCyl ( 14362 )
      Precisely. It's one thing if a company wants to mandate (by policy, not by technology) that its employees use only internal email accounts for all business related communications, but security does not seem to be a legitimate reason to block webmail. Allowing limited personal use of the internet from work equipment is productive for employee morale, and it can provide short breaks which reduce stress, boost overall efficiency, and can increase creative solutions.

      If you have to set up a non-networked comput
  • Where I work... (Score:3, Interesting)

    by DRAGONWEEZEL ( 125809 ) on Friday March 16, 2007 @02:57PM (#18378669) Homepage
    The big Net Admins in the sky tried to block web based e-mail from Comcast, Aol, G-mail, Hotmail, Yahoo, etc... then all the physicians freaked out and got pissed enough for them to change it back. Or at least that is the story I was told...
  • by Jeremi ( 14640 ) on Friday March 16, 2007 @02:58PM (#18378679) Homepage
    Translation: my organization's computers are not secure enough to safely access the Internet. This is somehow Google/Yahoo/MSN's fault.
  • It's safest when the users can't run any scripts or executables. With Vista, you can easily configure the UAC to stop such user nonsense.
    • by walt-sjc ( 145127 ) on Friday March 16, 2007 @03:15PM (#18378937)
      Hah! With Linux, it's so much easier. I just don't give them a login for the system at all! Those pesky users just get to look at a pristine monitor and keyboard, but are not allowed to touch... Can't have them fucking up my nice clean install now can I?

      Muahahaha!
    • by pe1chl ( 90186 )
      Install and configure TrustNoExe and your users cannot run programs they have downloaded, no matter if via webmail, internet, usb sticks, ...
    • Re: (Score:2, Insightful)

      by jbrandv ( 96371 )
      If the user has physical access to the computer you are fooling yourself if you think you can stop them with UAC.
    • by mlewan ( 747328 )
      "It's safest when the users can't run any scripts or executables."

      Isn't it safer when their only communication device is a pencil and a piece of paper?

  • Stupid (Score:5, Interesting)

    by dedazo ( 737510 ) on Friday March 16, 2007 @02:58PM (#18378687) Journal
    I work at a very large company that allows unrestricted access to any webmail provider. Let me repeat that: You can use any webmail provider you want from within their network. So long as you use their proxy (obviously).

    What's their secret? They take care of preventing stupid users from downloading crap themselves, meaning they scan at their proxy and/or firewall boundaries (I'm not a network admin here so I don't know exactly how it works).

    This has been the policy for at least five years and they've never had a single problem. Never.

    If a large financial services company can do it, I don't know why everyone else can't either. So you're asking the wrong question - instead, ask "how can I provide a better service to my users by allowing them to access their webmail and also maintain my network security?"

    I've worked at companies that either completely or selectively block webmail access. Nothing personal, but you and other network admins like you suck rocks as far as I'm concerned. Trusting or distrusting the webmail provider because they do X or Y is supremely stupid because you're basically bending over for them and waiting for the inevitable vulnerability to show up. What, are you going to go to your CTO and say "well, I didn't trust Microsoft and AOL, but I thought Yahoo was OK! It's not my fault!"?

    You should know better and you should do better. If you can't, just block all webmail and stop complaining about what other companies do or fail to do. It's your network and your responsibility.

    • Re: (Score:3, Informative)

      by drinkypoo ( 153816 )

      I work at a very large company that allows unrestricted access to any webmail provider. Let me repeat that: You can use any webmail provider you want from within their network. So long as you use their proxy (obviously). What's their secret? They take care of preventing stupid users from downloading crap themselves, meaning they scan at their proxy and/or firewall boundaries (I'm not a network admin here so I don't know exactly how it works).

      We do the same thing at my place of work. We have a Cisco secur

  • At my company... (Score:5, Insightful)

    by truesaer ( 135079 ) on Friday March 16, 2007 @02:58PM (#18378689) Homepage
    They've blocked both webmail and instant messaging, but the reasoning is "document retention." I.e., in case there's a lawsuit they want to guarantee they have all our communications archived. And since I work at a Fortune 500 there's always a lawsuit.

    I guess I understand that, but the bummer is that for a lot of us we don't work just your basic 9-5. If you work a lot it's nice to be able to take care of a little personal business; in fact I think it probably increases productivity by making people more willing to hang around at work a little longer. So in that regard these bans are counterproductive.

    I don't think IT people really think about stuff like that much...the ideal situation for IT isn't necessarily what's best for the enterprise. That said, I can see how security and document retention are valuable goals...maybe webmail could provide some kind of mechanism to allow companies to hook into it and archive messages read or sent using corporate machines. Same for instant messengers. Then everyone's happy (except privacy advocates...)

  • Making a non-webmail page with links to nasty VBS scripts, etc. is just as easy as sending an e-mail, so you are not really protecting your network with these annoying limitations... An attacker can send your charges an e-mail (at the corporate address) with a link to his script. And if you check all browsing (via scanning proxies), then you may as well leave webmail alone, for it'll be checked too, along with all other HTML pages.

    You are not alone, unfortunately. I found that whenever admins (pompously) argue for strict banishment of a particular "attack vector", they almost always ignore another vector for the same attack.

    There could be one justification for banning external (non-corporate) means of communication while at work — compliance and legal issues. A big bank, for example, does not want a broker to be able to claim that a bank's trader ordered a (bad) trade via GMail or cell phone. But this only makes sense when your official (corporate) communications get recorded and archived (unlike private webmail accounts and personal cell phones), and can be played back.

    In short, you have to remember that you (an administrator) exist for the benefit and convenience of these people, not the other way around. So if they want to be able to access their webmail, you must have a much better reason than "you may get a virus" to deny it to them.

    I bet more productivity is lost when an employee brings in the flu and half the office gets sick. But no one is advocating forcing people to take vitamin C and wear scarves, right?

    • by Hatta ( 162192 )
      In short, you have to remember that you (an administrator) exist for the benefit and convenience of these people, not the other way around.

      You BOFH's especially need to remember this.
    • In short, you have to remember that you (an administrator) exist for the benefit and convenience of these people, not the other way around. So if they want to be able to access their webmail, you must have a much better reason than "you may get a virus" to deny it to them.

      What? If they don't need it to do their job, that argument falls apart, and you must step back and fall on the argument that it's bad for morale if they don't get webmail.

      I bet more productivity is lost when an employee brings in the flu

  • There are talks at my employer as well of limiting 3rd party mail usage (along with IM and other services) not just because of security, but because they want (or "need") to monitor all outgoing/incoming messages.

    It's really depressing how limited our access to the Internet has become. It's mostly done to "boost" productivity or "prevent" litigation. Security concerns are now adding to that situation. I see a point in the not-so-distant future where businesses and corporations will be so worried about
  • If there is a corporate policy on outside email usage then it sounds like a place I would not want to work. Please expect me to be an adult and I will act like one.
  • by Procyon101 ( 61366 ) on Friday March 16, 2007 @03:01PM (#18378739) Journal
    Do people really chmod +x email attachments?!? I'd say your problem is in user education. Hell, any user knowledgeable enough to know how to set the executable flag should KNOW better!
  • IT Tough Guy (Score:3, Insightful)

    by Anonymous Coward on Friday March 16, 2007 @03:01PM (#18378743)
    This sounds less like a real Ask Slashdot question and more like "Hey look at me. I'm an IT fascist!"
    Blocking webmail is pointless and serves only for you to needlessly flex your authority in the only part of the world you have authority: your company's network.
    Seriously, if you are so paranoid about webmail, why allow internet to the desktop at all? Since you are so afraid of VBS, why don't you just lock out VBS execution at the desktop and keep your enterprise AV up2date?
    Grow up, have kids, and annoy them with your stupid restrictions. Leave the people at work alone.
  • by codepunk ( 167897 ) on Friday March 16, 2007 @03:02PM (#18378747)
    Long, long ago we just disabled VBS execution across the whole enterprise. We allow access to any of these services.
  • by rindeee ( 530084 ) on Friday March 16, 2007 @03:03PM (#18378779)
    Man, was this ever timely. I just finished setting up a very complete solution for my current location (forward deployed military in the M.E.). Yes, of course I allow Webmail access. Everyone relies on it for 'reach-back' capability. What I do in an attempt to secure things is to set up a very complete firewall/filtering/etc. box. Is it perfect? No, but it's very effective. I'm running a Linux box with a slew of services (HAVP, P3Scan, ProxSMTP, HAVP, Privoxy, frox, ClamAV, RenAttach, Rules Du Jour and of course IPTables plus a bunch of others) and have had outstanding success. I recommend just using IPCop + BOT + CopFilter if you need something quick and relatively painless. I also do regular automated Nessus scans, etc. Man I love my job!
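    A gateway-side attachment check of the kind the stack above (RenAttach and ClamAV behind a scanning proxy) performs, and of the kind the question's test ran against the Big Four, as an added example that is not code from this thread or from any of those tools. It walks a MIME message, flags attachments whose final extension is on an executable-content blocklist, and opens zip attachments (including zips nested inside zips) to apply the same check to their members; encrypted members and nesting beyond a depth limit are reported as uninspectable rather than silently passed. The blocklist, the nesting limit and the sample message are constructed for the example:

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Constructed blocklist for this example: extensions Windows hands to the
# script host or loader when double-clicked. Tune to your environment.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                      ".exe", ".scr", ".pif", ".bat", ".cmd"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_NESTING = 3  # assumed limit on zip-in-zip depth before we stop and report


def _suffix(name: str) -> str:
    """Lower-cased final extension, so 'invoice.pdf.VBS' yields '.vbs'."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()


def _scan_zip(data: bytes, prefix: str, depth: int, findings: list) -> None:
    """Apply the extension check to every zip member, recursing into nested zips."""
    if depth > MAX_NESTING:
        findings.append(f"{prefix}: nested deeper than {MAX_NESTING}, not inspected")
        return
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{prefix}: unreadable archive")
        return
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = f"{prefix}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append(f"{member}: encrypted member, not inspectable")
                continue
            ext = _suffix(info.filename)
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"{member}: blocked extension {ext}")
            elif ext in ARCHIVE_EXTENSIONS:
                _scan_zip(archive.read(info), member, depth + 1, findings)


def find_blocked_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment (or archive member) the policy would block."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:  # inline body text carries no attachment filename
            continue
        ext = _suffix(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{name}: blocked extension {ext}")
        elif ext in ARCHIVE_EXTENSIONS:
            _scan_zip(part.get_payload(decode=True), name, 1, findings)
    return findings


def build_sample_message() -> bytes:
    """Constructed message: a bare .VBS, a harmless PDF, and a zip nesting a zip with a .vbs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.vbs", "' constructed placeholder, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("docs/readme.txt", "constructed sample text\n")
        z.writestr("inner.zip", inner.getvalue())

    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    msg.add_attachment("' constructed placeholder\n", subtype="plain", filename="update.VBS")
    msg.add_attachment(b"%PDF-1.4 constructed\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_blocked_attachments(build_sample_message()):
        print(finding)
```

    Run stand-alone it reports two findings for the constructed message: the bare .VBS attachment and the .vbs inside the nested zip, which is the zipped-VBS case the question says only GMail caught. The check trusts filenames only, so a content scanner such as ClamAV still belongs beside it for files that have been renamed.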
  • Honestly, I've always allowed webmail (and encouraged it) as a way to side-step a certain amount of responsibility for reporting users for things. It may sound crazy, but in my experience you can't stop users from e-mailing their friends, spouses, mistresses, and drug-dealers during the course of the work day.

    I've had it happen where e-mails about an employee's drug habit get stuck in our spam filter, which means I saw them when I went through looking for false-positives. Suddenly, I'm in my own personal

  • Speaking purely as a sysadmin, I'd block those sites utterly. Web-browser components are the biggest target of malware out there, it's bad enough when targeted at an e-mail client that can lock down scripting and such but Web-mail sites let that stuff through to a browser that has to allow scripting in a corporate environment. And if you're a business you've got your own e-mail system, no company e-mail should be going through a Web-mail system in the first place.

    As a techie, no decision would affect me. I

    • Oh, and on follow-up, those outside e-mail addresses benefit the company too. When I'm travelling, I often can't reach the company mail system because it's not accessible outside the company network and the local firewalls and access setup at hotels often won't permit the VPN to connect properly. But almost always I can manage to get an SSH connection to my home machine through, and when I can't I can still use a Web browser to get at Web-mail, which means my bosses can reach me via my personal e-mail even

  • Really there are much more important things to block when it comes to any external mail account. For example, can your users set up a server rule (easy in Outlook/Exchange, probably in others too) to auto-forward their mail to an external service (whether a web mail or not)? If they can, then THERE is your bigger problem. External mail services don't make users abide by your strong password or Smart Card requirements. Their password is probably easily discoverable. They go on vacation and forward all their
  • No webmail, no POP3 and no SMTP relay unless you are on the golden list. Not so much for information security, but for anti-virus purposes. We have antivirus on our Exchange server and each PC that is updated hourly or daily. No one really knows the quality of the antivirus system of Internet email or how often they update definitions.
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Friday March 16, 2007 @03:13PM (#18378901)
    Comment removed based on user account deletion
    • by skoda ( 211470 ) on Friday March 16, 2007 @04:04PM (#18379633) Homepage
      The important thing is that you manage your corporate IT policies to make your job easier, and not to actually serve your customers: the employees who struggle to get their work done in spite of your draconian rules.

      I work with similar issues: it can be interesting finding ways to get work done in spite of IT's (un)support and (un)help.
    • by 99BottlesOfBeerInMyF ( 813746 ) on Friday March 16, 2007 @04:05PM (#18379657)

      Sure folks complain and I'm avoided like the plague at times. But let's see, what non-maintenance downtime have I needed? Zero. For me and my team the lines are clear cut and boundaries well established.

      Thank you very much. Companies like yours are the reason companies like mine can hire brilliant and talented people away from bureaucratic nightmares and pay them 20% less while getting a significant amount more productivity from them. We have internal Web, IRC, chat, etc. servers. If your AOL IM is not working and it is stopping you from chatting with your girlfriend, IT is happy to help. They'll even grab you a beer from the fridge on the way to your desk. For smart people who know they'll spend a significant portion of their life at work, but who chose their work because they love it... there are companies like mine. You're treated like a real person instead of a cog. If you need to go home for the rest of the day while waiting for the plumber to come to your house, go ahead. Don't bother filling out paperwork or logging your time. So long as your work gets done, it's all to the good. If a friend is in town and stops by the office, go ahead and take a few hours to have a beer and play a video game with them in the lounge. Introduce them to your boss and coworkers.

      We don't lock down Web access to any type of external site. We track everything, but the tracking system is open to all employees so if you want to see what your boss is doing, just log on and look. We don't seem to have a lot of IT emergencies either. Some of our old and out of date servers overheat or fall over now and again and we power cycle them. No big deal.

      Every day I'm thankful I realized early in life that I did not want to take the top dollar offer for my work if it meant I had to put up with nonsense like you advocate. IT's job is not supposed to be to minimize the amount of work they need to do or even to prevent problems. It is supposed to be to facilitate the rest of the company getting work done. Happy employees work harder for the company and stay late to work on something or even come in on a weekend for some project. Happy employees do not quit and move to another company with no notice leaving the company in the lurch. Happy employees are not the largest and hardest to stop threat to the security of your network as they feel it is "wrong" to screw over the company and boss and people who treat them well and with understanding and who are their friends.

      But by all means, keep making yourself hated and keep thinking your employees' lives should stop and they should act like machines for 8 hours a day. We'll keep hiring away the smartest people you have.

  • ...we allow it, but discourage it heavily. It's useful as a fallback measure; the local disaster plan admits we're going to use GMail as an interim step if central IT feels a burning need to clusterfsck the mail server while leaving the main network intact. However, as part of the annual data security lecture, we remind faculty and staff that sending FERPA-protected data over insecure network methods is a big no-no, that email is inherently insecure, and that web mail is doubly so. (Well, mostly; the local

  • My experience is that the companies that do this type of blocking do it because the workstations are inherently insecure. Security is not in the sites someone can visit or the specific file extensions that are allowed. It is in the setup of the network and the access the user has on their workstation. It's like making the kitchen safe by removing the sharpest knife from the drawer.
    • You are correct. The truly secure kitchen would be no kitchen at all. Alternately, you could go with an "all spoon" kitchen. But producing sliced apples for your customers might be a little more difficult than in the kitchen with knives.
  • by EastCoastSurfer ( 310758 ) on Friday March 16, 2007 @03:18PM (#18378965)
    My company hasn't flat out blocked web mail yet, but I'm sure they are on the way. IM was blocked awhile ago and a coworker got an email today from IT that she shouldn't check gmail anymore (she would just leave it up all day, which would let gmail do its auto-refresh). The problem I have is that here at work we have 100MB of email space that gets backed up. On gmail I have 3-4gb. So while this one person got the email to quit using gmail the rest of the office is continuing to use gmail not just for personal mails, but also for work. Gmail is better than the IT solution, and users are smart enough to realize this. So as long as we have draconian, I-know-what's-best-for-you IT people, we'll have users who do what they have to to get the job done.

    Here's an idea! How about IT look to the users as customers and treat them that way.
  • by Quixadhal ( 45024 ) on Friday March 16, 2007 @03:20PM (#18379007) Homepage Journal
    My question is... what exactly are you trying to secure? If you're talking about ensuring that sensitive corporate data isn't leaked outside the company, I hate to say it but, you really shouldn't be using unencrypted email in the first place. If you don't allow VPNs or other ways for people to access their email outside the building (I'm sure the salespeople LOVE you), then you may as well force your employees to use paper, or a custom client that only talks to other people on the LAN.

    If you're worried about virus/malware/etc... web based email is no more or less safe than any other modern graphical pop3/imap client. All of them these days are HTML enabled, and unless you personally watch everyone click their messages, some will still run winbig.exe or whatever.

    Personally, I'm getting a bit tired of people tossing the "security" word around as a reason to make things more difficult or expensive, without ever justifying what it is that needs the added security, and why.
  • I was the IT administrator at my old company of about 500 consultants. After many discussions with the upper management I successfully argued for an open webmail policy because we had employees who regularly worked long and odd hours to accomplish our projects and it seemed only fair that we give them a method of private communications during their _overtime_. Quid Pro Quo. We were especially lenient with consultants who traveled all the time... except for a few areas those laptops were considered their
  • by sco_robinso ( 749990 ) on Friday March 16, 2007 @03:25PM (#18379069)
    I'm a network admin for a small-medium sized company, about 40 - 50 people. We are pretty liberal about our IT security policies. We're still at the size where we can place a great deal of trust in our staff, and they don't abuse it. For the most part, we don't block virtually any content. We've never had problems, but we're at a growth stage where we're needing to tighten up security a bit.

    My girlfriend's company, which is a larger energy company of about 250 people, does however block some webmail content, as they recently had an employee download material that caused a security concern.

    Personally, I don't think it's unreasonable to block web-based mail. However, since email is so commonplace in daily life now, if I was to do that, I would make sure there were a few computers in a staff room where people could freely check their email, outside the company's proxies and firewalls.

  • Firefox and many other browsers are immune to VBScript. The very same idiots who ban webmail citing security concerns blithely allow IE to run rampant in their internal networks. What gives? If data leaks through a hole in IE, the brass will claim, "We followed the industry standard practices. We are not responsible. We are actually irresponsible. Go chase Microsoft". If they want to ban IE, they can't because MSFT has woven IE into the fabric of the OS. Even if they say only Firefox can be used, still the
  • The general policy is that the company's assets are for company business. That said, policy also allows for limited personal use, as long as it does not interfere with the primary business use of the company. This leaves enough room for most employees to be happy, and it gives us the iron hammer if we ever need it (and we rarely have). We can block things outright at the perimeter if we need to do so (e.g. when there is a new virus propagating via email), but we generally trust our employees to be professio
  • I work in a small company (~30 employees). We do allow use of webmail. But only for your private stuff. You are not allowed (and it is clearly stated in the contract and rules) to use your private email for company related stuff (your work). Besides that you can use your private webmail as you wish.

    It has to be said that we do not have any monitoring or censoring policies. It is OK for somebody to write personal email at work from time to time as long as that person does her job right.

    But you have a certainly flawed reas
  • by narf501 ( 1051136 ) on Friday March 16, 2007 @10:52PM (#18382871)
    Due to being a thrall subject to corporate regs like SOX and others, I have to lock down user PCs, and restrict them behind a Draconian firewall, allowing access to only what they need to work.

    However with Terminal Services clients, I enable it to be used in a client window, and make sure that "Turn off clipboard redirection" is off in group policy. All employees can connect to a cluster of Terminal Servers which is securely in a DMZ, isolated from the rest of the network. Only a few people have administrative rights to these machines, and the only connection the Terminal Server machines have to the internal network is a port to a dedicated domain controller. To further separate the employee "free for all" TS machines from the corporate network, they even are connected to the Internet on a different link. Of course, the TS machines have a few outgoing ports blocked at the router (port 25, duh), but it's nowhere near as locked down as the internal corporate network.

    Now, desktops can be locked down, but users can do pretty much what they want on their account on the terminal server (Webmail, IM, etc.) If a user gets malware, it can only affect their user accounts (assuming the malware gets past the AV scanner resident on the machine.) There is no known way the internal PCs can be infected by a compromised terminal server (if by chance something like this occurs), and confidential corporate material can't get out by accident via the clipboard (if someone wanted to get it out, they could manually type it, but that is a different story altogether.)
